Business Associate Agreement
HIPAA Compliance Agreement
Last updated: March 23, 2026
This Business Associate Agreement ("BAA") is entered into between Galenie ("Business Associate") and you, the healthcare provider ("Covered Entity"), as required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations.
1. Definitions
Terms used but not otherwise defined in this BAA shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160-164).
- Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium.
- Electronic Protected Health Information (ePHI): PHI that is transmitted or maintained in electronic media.
- HIPAA Rules: The Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160-164.
- Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.
- Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.
2. Obligations of Business Associate
2.1 Permitted Uses and Disclosures
Business Associate agrees to not use or disclose PHI other than as permitted or required by this BAA or as Required by Law. Business Associate may:
- Use PHI for the proper management and administration of Business Associate
- Use PHI to provide Data Aggregation services relating to the healthcare operations of Covered Entity
- Disclose PHI as Required by Law
- Use PHI to report violations of law consistent with 45 CFR 164.502(j)(1)
2.2 Safeguards
Business Associate agrees to implement appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA. This includes:
- Administrative safeguards as required by 45 CFR 164.308
- Physical safeguards as required by 45 CFR 164.310
- Technical safeguards as required by 45 CFR 164.312
2.3 Our Security Measures
Galenie implements the following security measures to protect ePHI:
| Category | Measures |
|---|---|
| Access Control | Unique user identification, automatic logoff, encryption and decryption |
| Audit Controls | Hardware, software, and procedural mechanisms to record and examine activity |
| Integrity | Mechanisms to authenticate ePHI and protect from improper alteration or destruction |
| Transmission Security | TLS 1.3 encryption for data in transit, integrity controls |
| Data at Rest | AES-256 encryption for stored data, field-level encryption for PII |
| Authentication | Multi-factor authentication available, secure password requirements |
2.4 Reporting
Business Associate agrees to report to Covered Entity:
- Any use or disclosure of PHI not provided for by this BAA of which it becomes aware
- Any Security Incident of which it becomes aware
- Any Breach of Unsecured PHI without unreasonable delay, and in no case later than 60 days after discovery
2.5 Subcontractors
Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate under this BAA.
Our subcontractors who may process PHI include:
- Cloud Infrastructure: Hosting providers with BAA agreements in place
- AI Processing: OpenAI (with BAA) for optional AI features only when consent is granted
- Payment Processing: Stripe (PCI-DSS compliant, does not process PHI)
2.6 Access to PHI
Business Associate agrees to make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524.
2.7 Amendment of PHI
Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set as directed by Covered Entity pursuant to 45 CFR 164.526.
2.8 Accounting of Disclosures
Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.528.
2.9 Compliance with HHS
Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA Rules.
3. Obligations of Covered Entity
Covered Entity agrees to:
- Notify Business Associate of any limitation(s) in the notice of privacy practices that may affect Business Associate's use or disclosure of PHI
- Notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose their PHI
- Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to
- Not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA Rules if done by Covered Entity
- Obtain appropriate consent from patients before enabling AI features that process PHI
4. Term and Termination
4.1 Term
This BAA shall be effective as of the date you accept our Terms of Service and shall continue until terminated as provided herein.
4.2 Termination for Cause
Either party may terminate this BAA if the other party materially breaches this BAA and fails to cure the breach within 30 days of receiving written notice.
4.3 Effect of Termination
Upon termination of this BAA, Business Associate agrees to:
- Return or destroy all PHI received from Covered Entity, or created or received on behalf of Covered Entity, if feasible
- If return or destruction is not feasible, extend the protections of this BAA to the PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible
You may request a complete export of your data before account termination through your account settings.
5. Breach Notification
In the event of a Breach of Unsecured PHI, Business Associate agrees to:
- Notify Covered Entity without unreasonable delay, and in no case later than 60 days after discovery of the Breach
- Provide information necessary for Covered Entity to provide notice to affected individuals, HHS, and the media (if applicable)
- Include in the notification: identification of affected individuals, description of the types of information involved, steps individuals should take, what Business Associate is doing to investigate and mitigate, and contact information
6. Miscellaneous
6.1 Amendment
This BAA may not be modified except by written agreement signed by both parties. However, the parties agree to take such action as is necessary to amend this BAA to comply with changes in HIPAA Rules.
6.2 Survival
The respective rights and obligations of Business Associate under Section 4.3 of this BAA shall survive termination of this BAA.
6.3 Interpretation
Any ambiguity in this BAA shall be interpreted to permit compliance with HIPAA Rules.
6.4 Regulatory References
A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
7. Contact Information
For questions about this BAA or to report a potential privacy or security issue:
- Email: [email protected]
- Security Issues: [email protected]